What is ViperSoftX Malware? How to Protect from ViperSoftX Malware?

Google Chrome is a popular open-source browser used to access the internet and run multiple web applications; it is one of the most trusted browsing platforms in the world. Even so, many attacks target Google Chrome, because it is the best place to steal credentials and other sensitive information.

In this article, we discuss one widely exploited attack in which a Google Chrome extension was used as a cryptocurrency stealer: ViperSoftX malware. Let's see what ViperSoftX malware is, how ViperSoftX is misused as a cryptocurrency-stealing Google Chrome extension, and how to protect against it.

What is a Google Chrome extension? Are they safe?

A Google Chrome extension is a small software program that enhances the browsing experience by adding customized features. Chrome extensions are built with web technologies such as CSS, HTML, and JavaScript.

The vast majority of extensions are considered safe; the concern is permissions, since an extension can be granted access to sensitive and critical information. Extensions can become an attack vector if they are not managed correctly. Let's look at one such case.

What is ViperSoftX Malware?

ViperSoftX is a Windows malware that deploys a Google Chrome extension named 'VenomSoftX'. It is an information stealer with very interesting obfuscation capabilities. ViperSoftX is a JavaScript-based RAT (remote access trojan); it was initially observed in early 2020, but the malware has since grown considerably and has been actively used in recent campaigns.

ViperSoftX is mostly distributed via cracked software such as Microsoft Office and Adobe Illustrator, and also spreads via torrent downloads. Only Windows users have been impacted so far.

Recent Campaign Activity – Victims of the ViperSoftX Malware Campaign

According to Avast, it has protected more than 93,000 users from this malware. The malware is distributed all around the world, mostly via torrent files or software-sharing sites. The most impacted countries are India (7,000+), the USA (6,000+), and Italy (5,000+).

Figure: Impacted countries since the beginning of 2022 (Source: Avast)

As of 8 November 2022, a total of $130,421.56 worth of cryptocurrency had been stolen by ViperSoftX and VenomSoftX. The table below shows an estimate of the attacker's earnings across several cryptocurrency wallets.

Cryptocurrency   Earnings in cryptocurrency   ~Earnings in USD
Bitcoin          5.947 BTC                    $116,812.81
Ethereum         5.312 ETH                    $7,826.13
Dogecoin         34,355.528 DOGE              $3,474.47
Bitcoin Cash     9.11997194 BCH               $1,021.39
Cosmos (ATOM)    65.153 ATOM                  $846.44
Tezos            191.445553 XTZ               $241.32
Dash             4.72446445 DASH              $199
Source: Avast

How Does the ViperSoftX Malware Campaign Work? – Attack Flow

This section focuses on how ViperSoftX malware is misused as a cryptocurrency-stealing Google Chrome extension.

ViperSoftX poses as the cracked software the victim downloads. The malware is commonly named patch.exe or activator.exe. Activator.exe is a loader that decrypts data embedded in itself using AES; the decrypted content reveals five different files:

  • ViperSoftX PowerShell payload hidden as a log file
  • XML file for the Task Scheduler
  • VBS file that creates the scheduled task and establishes persistence
  • Cracked application binary
  • Manifest file

The log file is usually larger than 5 MB and contains a single malicious line of code. It is stored under different names, such as "driver" or "log", or as a "text" file.
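A file that is larger than 5 MB yet consists of a single line is an unusual shape for a genuine log, and that shape can be hunted for. The script below is an added example written for this article, not Avast's or Fortinet's tooling. The 5 MB threshold comes from the description above; the line-count limit, the name filter (".log"/".txt" extensions or names starting with "driver" or "log") and the sample directory it builds are assumptions made for the example.

```python
"""Hunt for oversized "log" or "text" files that hold a single very long line.

Added example, not Avast's or Fortinet's tooling. The write-up says the hidden
ViperSoftX PowerShell payload is stored as a file of more than 5 MB that
contains a single line of code, under names such as "driver", "log" or a text
file. The size threshold comes from the write-up; the line-count limit and the
name filter are assumptions made for this example.
"""
import os
import tempfile
from pathlib import Path

MIN_SIZE = 5 * 1024 * 1024            # 5 MB, the size the write-up mentions
MAX_LINES = 3                          # assumption: a real log has far more lines
SUSPECT_SUFFIXES = {".log", ".txt"}    # the payload hides as a log or text file
SUSPECT_STEMS = ("driver", "log")      # names mentioned in the write-up


def count_newlines(path, limit, chunk_size=1 << 20):
    """Count newline bytes in `path`, stopping as soon as `limit` is exceeded
    so that genuine multi-gigabyte logs are not read to the end."""
    newlines = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            newlines += chunk.count(b"\n")
            if newlines > limit:
                break
    return newlines


def name_is_suspect(path):
    """Name filter: a log/text extension, or a stem starting with 'driver' or 'log'."""
    p = Path(path)
    return p.suffix.lower() in SUSPECT_SUFFIXES or p.stem.lower().startswith(SUSPECT_STEMS)


def is_suspect_file(path, min_size=MIN_SIZE, max_lines=MAX_LINES, require_name=True):
    """True when the file is at least `min_size` bytes yet has at most
    `max_lines` line breaks, i.e. a huge file made of one or two lines."""
    try:
        size = os.path.getsize(path)
    except OSError:
        return False
    if size < min_size:
        return False
    if require_name and not name_is_suspect(path):
        return False
    return count_newlines(path, max_lines) <= max_lines


def hunt(root, **kwargs):
    """Return the sorted list of suspect files below `root`."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_suspect_file(full, **kwargs):
                hits.append(full)
    return sorted(hits)


def make_sample_tree(root=None):
    """Build a constructed directory for demonstration: one payload-shaped file,
    one genuine-looking multi-line log of the same size, one small text file and
    one large single-line file with an unrelated name. Returns the paths."""
    root = root or tempfile.mkdtemp(prefix="vsx-hunt-")
    six_mb = 6 * 1024 * 1024
    paths = {
        "root": root,
        "payload": os.path.join(root, "driver_update.log"),
        "genuine": os.path.join(root, "service.log"),
        "small": os.path.join(root, "notes.txt"),
        "other": os.path.join(root, "cache.bin"),
    }
    with open(paths["payload"], "wb") as fh:      # one 6 MB line, no newline at all
        fh.write(b"A" * six_mb)
    with open(paths["genuine"], "wb") as fh:      # ~6 MB of 41-byte log lines
        fh.write(b"2022-11-08 10:00:00 service heartbeat ok\n" * (six_mb // 41 + 1))
    with open(paths["small"], "wb") as fh:
        fh.write(b"todo: rotate logs\n")
    with open(paths["other"], "wb") as fh:        # large single line, benign name
        fh.write(b"B" * six_mb)
    return paths


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()["root"]
    for hit in hunt(target):
        print("suspect:", hit)
```

Run it with a directory argument (for example the user's %APPDATA% tree, where the write-up says the malware keeps its copy) to scan that tree; without an argument it scans the constructed sample directory. Pass `require_name=False` to `hunt()` to drop the name filter and catch the same file shape under any name, at the cost of more benign hits such as database or cache files.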

ViperSoftX goes to considerable lengths to hide itself: before the payload executes, it is protected by eight layers of code obfuscation. The three main obfuscation techniques used are:

  1. AES decryption: this is the first layer.
  2. Converting char arrays: usually the third layer; it simply computes a string from a hard-coded array of character codes.
  3. UTF-8 decoding: this appears in multiple code snippets and is the most recurring deobfuscation layer.

ViperSoftX achieves persistence by creating a copy of itself in %APPDATA%. The attacker also tries to make it look legitimate by using benign-sounding names such as vpn_port.dll and install.sig. The malware also drops another script file and creates a shortcut in the startup directory to invoke it. This is a VBS script that later executes ViperSoftX.

Features of ViperSoftX Malware

The primary features of ViperSoftX include the following:

  • Stealing cryptocurrency
  • Fingerprinting the infected machine
    • Computer name and Username
    • OS information and its architecture
    • Any antivirus or other security software installed, and whether the solution is active or not
  • Clipboard swapping
  • Command execution
  • Downloading and executing payloads

As already mentioned, one of the critical payloads used by ViperSoftX is the Chromium-based browser extension VenomSoftX. This extension has several unique features that give it complete access to every website the victim visits. It can also execute man-in-the-browser attacks to steal cryptocurrency by tampering with crypto addresses (API request tampering) on popular cryptocurrency exchanges. The stolen information and the fingerprint are concatenated into one string, Base64-encoded, and sent to the hard-coded C&C server.

ViperSoftX scans the clipboard contents using predefined regular expressions; if the text matches a configured wallet address format, the malware replaces it with the attacker's address and notifies the command-and-control server. The notification is sent in an X-notify HTTP header in the format 'cryptocurrency type – victim's address – attacker's address'.

The attacker disguises the malicious Chrome extension as "Google Sheets 2.1", posing as a Google productivity app.

Figure: Malicious extension (Credits: Avast)

ViperSoftX as a RAT (Remote Access Trojan)

ViperSoftX also provides RAT functionality such as executing arbitrary commands, downloading and executing arbitrary payloads, removing itself entirely from the system, and so on. The malware runs an infinite loop that executes commands after every 3 seconds of sleep.

ViperSoftX passes information to the C&C server via an HTTP header, in which it provides OS information, computer name, username, etc. The commands implemented by ViperSoftX are:

Ex
  Description: Executes JS code using eval().
  Parameters: 1. JavaScript code

Cmd
  Description: Runs a command through cmd.exe.
  Parameters: 1. Command line

DwnlExe
  Description: Runs a PowerShell script that downloads an additional file to a specified location under %TEMP%, sleeps for 20 seconds, and then executes the downloaded payload.
  Parameters: 1. URL to download the file from; 2. Path to save the file to

DwnlOnly
  Description: Downloads a file to a predefined folder. Optionally, despite the name of the command, it executes the downloaded payload, like DwnlExe.
  Parameters: 1. URL from which to download the file; 2. Name to save the file as, appended to the predefined folder path; 3. Predefined destination folder: Startup, Temp, or Desktop; 4. Boolean flag indicating whether to also execute the file

SelfRemove
  Description: Executes PowerShell one-liners to delete the script from %APPDATA%, the VBScript, and the shortcut in the startup directory.
  Parameters: (none)

UpdateS
  Description: Removes all persistence for the current version and executes the newly downloaded JS file.
  Parameters: 1. URL to download the file from; 2. Path to save the file to

Source: Fortinet

As observed by Fortinet, the malware author continues to use multiple JavaScript-based payloads, which suggests that the developer is most comfortable with JavaScript as their preferred programming language.

How to protect from ViperSoftX Malware?

JavaScript-based malware is a current trend, and the obfuscation capability of this malware is remarkable, even though its functionality is simple. If traffic is closely monitored, ViperSoftX can be detected fairly easily: it communicates in plaintext, carrying its data in HTTP headers, which stands out from regular traffic.

Any communication with the IOCs listed below should be monitored closely to limit damage to the organization.
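The plaintext header channel described above is the detection opportunity. The script below is an added example written for this article, not Avast's or Fortinet's code. It turns three points from the write-up into checks over HTTP proxy logs: requests to the C&C domains from the IOC section, an X-notify header in the "cryptocurrency type – victim's address – attacker's address" format (cross-checked against the wallet addresses listed below), and a long Base64 blob in a request header, which is how the fingerprint is reported. The log line format, the sample traffic, the victim address placeholder and the "X-Client" header name used for the fingerprint are constructed for the example; the write-up does not name the header the malware uses.

```python
"""Flag ViperSoftX-style C&C traffic in HTTP proxy logs.

Added example, not Avast's or Fortinet's code. Checks: destination is a C&C
domain from the IOC list; an X-notify header shaped "<type> - <victim> -
<attacker>" reports a clipboard swap; a request header carries a long Base64
blob (the machine fingerprint). Log format and the "X-Client" header name
are constructed for this example.
"""
import base64
import re
from dataclasses import dataclass

# C&C domains from the IOC section, with the defanging brackets removed.
C2_DOMAINS = {
    "api.private-chatting.com", "apps-analyser.com", "wmail-blog.com",
    "wmail-service.com", "seko.vipers.pw",
}

# A few of the attacker wallet addresses listed on the page.
KNOWN_ATTACKER_WALLETS = {
    "1L8EBHDeiHeumtcpcroaxBceXnWFiYU5dh",          # BTC
    "0x9d787053f9839966A664b0e14e9C26a3684F6E44",  # ETH
    "DDxhfK5wbJkRN25mAbBYk3ND4xLjiMRyNq",          # DOGE
}

# Constructed log line format:
#   <timestamp> <client ip> <host> <method> <path> | <Header>: <value>; <Header>: <value>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+)"
    r"(?: \| (?P<headers>.*))?$"
)
# "type - victim - attacker"; a plain hyphen or an en dash may separate the fields.
X_NOTIFY = re.compile(r"^\s*(\w+)\s*[-\u2013]\s*(\S+)\s*[-\u2013]\s*(\S+)\s*$")
BASE64_CHARS = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


@dataclass
class Alert:
    src: str
    host: str
    reason: str
    detail: str = ""


def parse_headers(raw):
    """Turn 'Name: value; Name: value' into a dict keyed by lower-cased name."""
    headers = {}
    for part in raw.split(";"):
        if ":" in part:
            name, value = part.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_x_notify(value):
    """Split an X-notify value into (coin, victim_address, attacker_address), or None."""
    m = X_NOTIFY.match(value)
    return m.groups() if m else None


def decode_base64_blob(value, min_len=24):
    """Return the decoded text if `value` is a plausible Base64 blob, else None."""
    if len(value) < min_len or not BASE64_CHARS.match(value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None


def analyse_line(line):
    """Return the list of alerts raised by one proxy log line."""
    m = LOG_LINE.match(line)
    if not m:
        return []
    src, host = m["src"], m["host"].lower()
    headers = parse_headers(m["headers"] or "")
    alerts = []
    if host in C2_DOMAINS:
        alerts.append(Alert(src, host, "known-c2-domain"))
    if "x-notify" in headers:
        fields = parse_x_notify(headers["x-notify"])
        if fields:
            coin, victim, attacker = fields
            reason = ("clipboard-swap-known-wallet" if attacker in KNOWN_ATTACKER_WALLETS
                      else "clipboard-swap-report")
            alerts.append(Alert(src, host, reason, f"{coin}: {victim} -> {attacker}"))
        else:
            alerts.append(Alert(src, host, "x-notify-header", headers["x-notify"]))
    for name, value in headers.items():
        if name in ("host", "user-agent", "x-notify"):
            continue
        decoded = decode_base64_blob(value)
        if decoded is not None:
            alerts.append(Alert(src, host, "base64-header-blob", f"{name}={decoded[:60]}"))
    return alerts


def analyse_log(lines):
    return [a for line in lines for a in analyse_line(line)]


# Constructed sample traffic: two benign requests and two beacons from one host.
FINGERPRINT = base64.b64encode(b"DESKTOP-01|user|Windows 10 x64|Defender active").decode()
SAMPLE_LOG = [
    "2022-11-08T10:00:01Z 10.0.0.5 www.example.com GET /index.html | User-Agent: Mozilla/5.0",
    f"2022-11-08T10:00:03Z 10.0.0.7 wmail-service.com GET /api | X-Client: {FINGERPRINT}",
    "2022-11-08T10:00:09Z 10.0.0.7 wmail-service.com GET /api | X-notify: BTC - 1VICTIMADDRESSPLACEHOLDER - 1L8EBHDeiHeumtcpcroaxBceXnWFiYU5dh",
    "2022-11-08T10:00:12Z 10.0.0.9 cdn.example.net GET /a.png | User-Agent: Mozilla/5.0; Accept: image/png",
]

if __name__ == "__main__":
    for a in analyse_log(SAMPLE_LOG):
        print(f"{a.src} -> {a.host}: {a.reason} {a.detail}")
```

The domain match is the high-confidence signal; the X-notify check still fires when the attacker address is not on the list, so a campaign that rotates wallets is caught by the header shape rather than by the IOC. The Base64 check is the noisiest of the three (some legitimate headers carry Base64 tokens), so treat it as a pivot for analysts rather than a blocking rule.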

Indicators of Compromise (IOCs) of ViperSoftX Malware

SHA256 –

  • 65cb35d1b09097aa64b89062a060b3bb680bc4c962ff116f32edf92735f401eb
  • 4bb342c21ff563454d2fdc25eb3e63731d06d20c1fca2522061ad1ef38a53c89
  • 391e4b6ffb90303547d20baaa5695f2c0191f5461bb20cb885e170dd019e017c
  • 9e63d2ac3dc280a25c27a126752fdde1c8c5a0c4b4990f479a44dd8441b22ab3

ViperSoftX

File name                          SHA256
Activator.exe                      e1dc058fc8282acb95648c1ee6b0bc36b0d6b5e6853d4f602df5549e67d6d11a
Hidden log script, first variant   0bad2617ddb7586637ad81aaa32912b78497daf1f69eb9eb7385917b2c8701c2
Hidden log script, second variant  0cb5c69e8e85f44725105432de551090b28530be8948cc730e4b0d901748ff6f
ViperSoftX PowerShell              23b9075dac7dbf712732bb81ecd2c21259f384eb79ae8fdebe29b7c5a12d0519
ViperSoftX’s browser installer     5c5202ed975d6647bd157ea494d0a09aac41d686bcf39b16a870422fa77a9add

VenomSoftX

File name             SHA256
content.bootstrap.js  3fe448df20c8474730415f07d05bef3011486ec1e070c67683c5034ec76a2fcb
manifest.json         0de9a23f88b9b7bda3da989dce7ad014112d88100dceaabca072d6672522be26
rules.json            1d6845c7b92d6eb70464a35b6075365872c0ae40890133f4d7dd17ea066f8481
webpack_block.js      7107ab14a1760c6dccd25bf5e22221134a23401595d10c707f023f8ca5f1b854
webpack_bnb.js        ddee23e2bfd6b9d57569076029371e6e686b801131b6b503e7444359d9d8d813
webpack_cb.js         947215a1c401522d654e1d1d241e4c8ee44217dacd093b814e7f38d4c9db0289
webpack_common.js     7b75c1150ef10294c5b9005dbcd2ee6795423ec20c512eb16c8379b6360b6c98
webpack_content.js    d7dfc84af13f49e2a242f60804b70f82efff7680cddf07f412667f998143fe9c
webpack_gt.js         4da1352e3415faa393e4d088b5d54d501c8d2a9be9af1362ca5cc0a799204b37
webpack_kuc.js        705deecbbb6fd4855df3de254057c90150255c947b0fb985ea1e0f923f75a95f

C&C communication

  • api.private-chatting[.]com
  • apps-analyser[.]com
  • wmail-blog[.]com
  • wmail-service[.]com
  • seko[.]vipers[.]pw

MITRE Techniques

  • T1027 (Obfuscated Files or Information)
  • T1059.001 (PowerShell)
  • T1059.007 (JavaScript)
  • T1115 (Clipboard Data)
  • T1140 (Deobfuscate/Decode Files or Information)
  • T1176 (Browser Extensions)
  • T1189 (Drive-by Compromise)
  • T1204.002 (Malicious File)
  • T1496 (Resource Hijacking)

List of wallet addresses

Cryptocurrency  Address
ADA             addr1q9c27w7u4uh55sfp64ahtrnj44jkthpe7vyqgcpt73z9lrq7fw3juld8k2ksz2p82tv45j8yc5wzqmr4ladxyt0vjxrsf33mjk
ATOM            cosmos1mcah8lel6rxhlqsyrzpm8237cqcuzgyw70nm6f
BNB             bnb1u64a2n3jhw4yh73s84rc58v8wxrwp7r8jwakpr
BNB             bnb1vmwl54jxj9yvsgz33xtyuvqnurdjy2raqnttkq
BTC             1L8EBHDeiHeumtcpcroaxBceXnWFiYU5dh
BTC             1PRMMQgM65KDtMTryu9ccpeAgUmKqDrE9M
BTC             1Pqkb4MZwKzgSNkaX32wMwg95D9NfW9vZX
BTC             32Wx3dsHCCxyJZLwseFYkgeFqVk16tCCcF
BTC             3JvBvRuBfYvB6MjzMornj9EQpxhq9W7vXP
BTC             bc1qn6ype8u5kgj672mvsez9wz9wt9wk22tzd5vprp
BTC             bc1qxgz2g8kn2kg0wqqrmctyxu5n925pnwphzlehaw
BTC             qq9yrhef7csy3yzgxgs0rvkvez440mk53gv8ulyu6a
BTC             qqh3g98z60rdl05044xxt7gkgncezmdfy5tja99z53
DASH            XdxTmTFuHrcHnQQhfweAnHtExFB5BXmU1z
DASH            Xtwj8uGx77NYBUki1UCPvEhe4kHYi6yWng
DOT             122zNSYNN2TSR2H5wBCX16Yyvq7qLFWo1d6Lvw2t9CNxMxt1
DOGE            DDxhfK5wbJkRN25mAbBYk3ND4xLjiMRyNq
DOGE            DUUNTm23sVwLyiw27WW9ZPT9XfiWhB1Cvf
ETH             0x9d787053f9839966A664b0e14e9C26a3684F6E44
ETH             0x12507F83Dde59C206ec400719dF80D015D9D17B6
ETH             0x884467182849bA788ba89300e176ebe11624C882
KAVA            kava1emxzwjw84e0re7awgue9kp4gseesyqrttg69sm
SOL             7j5bxiFPSsScScBEjLj9qud5Yc2CqXGmembX3hQBdFTd$
USDT            TDJLMdJWPrKNMHuxgpQL8QPYgvdXTnWJao
XMR             475WGyX8zvFFCUR9ufThrNRtJmzmU13gqH9GV2WgAjbR7FgRVCWzokdfVf2hqvRbDBaMzBm1zpDiBTpBgxLt6d7nAdEEhC4
XMR             48qx1krgEGzdcSacbmZdioNwXxW6r43yFSJDKPWZb3wsK9pYhajHNyE5FujWo1NxVwEBvGebS7biW9mjMEWdMevqMGmDJ6x
XRP             rH6dyKWNpcvFz6fQ4ohyDbevSxcxdxfSmz
XRP             rpzn8Ax7Kz1A4Yi8KqvzV43KYsa59SH2Aq
XTZ             tz1g6rcQAgtdZc8PNUaTUzrDD8PYuCeVj4mb
ZEC             t1XjiZx8EydDDRuLisoYyVifcSFb96a3YBj
ZIL             zil1aw3kyrymt52pq2e4xwzusdfce9e5tmewvshdrm

We hope this article helped in understanding what ViperSoftX malware is, how it is misused as a cryptocurrency-stealing Google Chrome extension, and how to protect against it. Please share this post and help to secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.

Original article by ItWorker. When reposting, please credit the source: https://blog.ytso.com/293846.html
